Re: Proxy Chaining with ssl_bump

On 6/12/18 1:03 am, Christof Gerber wrote:
> I have a squid 3.5 as forward proxy that does ssl_bump by default.
> Some traffic I need to forward in addition to a second proxy by proxy
> chaining. The following configuration works for HTTP traffic but not
> with HTTPS. I found out through
> https://www.spinics.net/lists/squid/msg84767.html that this is because
> Squid 3.5 is not capable of doing ssl_bump + proxy chaining because
> the first proxy in the chain won't send a CONNECT after ssl_bump was
> performed. My question is:
> 
> 1. Is this finding still up-to-date, saying that Squid 3.5 does not
> support ssl_bump + proxy chaining? How is it for Squid 4?

The situation is better and constantly being improved. But the official
releases are still not doing CONNECT to upstream peers in the case where
traffic is fully decrypted by the first proxy. Only the cases where
decryption is avoided with splice or on_unsupported_protocol tunnel's.

IIRC Measurement Factory had an experimental git branch to add CONNECT
over non-TLS/SSL peers. I'm not sure what the status is on that now, it
has not been submitted for merge auditing yet.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users